Re: [PATCH v4 30/30] network: eliminate pointless host input/output rules from nftables backend

On Tue, Apr 30, 2024 at 01:44:19PM -0400, Laine Stump wrote:
> The iptables backend (which was used as the model for the nftables
> backend) used the same "filter" and "nat" tables used by other
> services on the system (e.g. firewalld or any other host firewall
> management application), so it was possible that one of those other
> services would be blocking DNS, DHCP, or TFTP from guests to the host;
> we added our own rules at the beginning of the chain to allow this
> traffic no matter if someone else rejected it later.
> 
> But with nftables, each service uses their own table, and all traffic
> must be accepted by all tables no matter what - it's not possible for
> us to just insert a higher priority/earlier rule that will override
> some reject rule put in by, e.g., firewalld. Instead the firewalld (or
> other) table must be set up by that service to allow the traffic. That,
> along with the fact that our table is already "accept by default",
> makes it possible to eliminate the individual accept rules for DHCP,
> DNS, and TFTP. And once those rules are eliminated, there is no longer
> any need for the guest_to_host or host_to_guest tables.
> 
> Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
> ---
> 
> I've just #ifdef'ed out the code that adds these rules so that it
> remains there as an example if someone wants to add in some different
> guest<->host rules in the future. I could instead completely remove
> all the now-uncompiled code, and just leave a comment referencing the
> upstream commit ID of the last commit that still contained all of that
> code. I'm fine either way.

I'm fine with an #if for a while. We can purge it later if we
see no signs of really needing it.

> 
>  src/network/network_nftables.c                |  36 +++-
>  .../nat-default-linux.nftables                | 104 ----------
>  .../nat-ipv6-linux.nftables                   | 182 ------------------
>  .../nat-ipv6-masquerade-linux.nftables        | 182 ------------------
>  .../nat-many-ips-linux.nftables               | 104 ----------
>  .../nat-no-dhcp-linux.nftables                | 182 ------------------
>  .../nat-tftp-linux.nftables                   | 130 -------------
>  .../route-default-linux.nftables              | 104 ----------
>  8 files changed, 33 insertions(+), 991 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
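The verdict semantics that justify dropping the DHCP/DNS/TFTP accept rules can be shown with a small model. The following is an added illustration, not libvirt code and not part of the patch: it models an iptables-style shared chain (first terminal rule wins, so an accept inserted at the top overrides a later reject) beside nftables-style per-table base chains on one hook (every chain runs in priority order, `accept` only ends the current chain, `drop` anywhere is final). The service names, the `virbr0` interface and the priority numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    iif: str


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: str  # "accept" or "drop"; both terminate the current chain


@dataclass
class Chain:
    owner: str      # service that installed the chain (constructed names)
    priority: int   # nftables base-chain priority; lower runs first
    policy: str = "accept"
    rules: List[Rule] = field(default_factory=list)


def run_chain(chain: Chain, pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain.rules:
        if rule.match(pkt):
            return rule.verdict
    return chain.policy


def iptables_verdict(shared_chain: Chain, pkt: Packet) -> str:
    """iptables model: one shared chain, the first terminal rule ends
    evaluation, so a rule inserted at the top overrides later rejects."""
    return run_chain(shared_chain, pkt)


def nftables_verdict(chains: List[Chain], pkt: Packet) -> str:
    """nftables model: every base chain registered on the hook runs, in
    priority order. 'accept' only finishes the current chain; the packet
    must still pass every later chain, and a 'drop' anywhere is final."""
    for chain in sorted(chains, key=lambda c: c.priority):
        if run_chain(chain, pkt) == "drop":
            return f"drop by {chain.owner}"
    return "accept"


def guest_dns(pkt: Packet) -> bool:
    return pkt.iif == "virbr0" and pkt.proto == "udp" and pkt.dport == 53


def from_guest_bridge(pkt: Packet) -> bool:
    return pkt.iif == "virbr0"


def demo() -> dict:
    dns_query = Packet("udp", 53, "virbr0")  # constructed sample packet

    # iptables: libvirt's accept sits ahead of firewalld's drop in one chain
    shared_input = Chain("filter", 0, rules=[
        Rule(guest_dns, "accept"),
        Rule(from_guest_bridge, "drop"),
    ])

    # nftables: each service owns a table with its own base chain
    libvirt_with_accepts = Chain("libvirt", -10, rules=[Rule(guest_dns, "accept")])
    libvirt_bare = Chain("libvirt", -10)  # accept-by-default, no per-service rules
    firewalld_blocking = Chain("firewalld", 0, rules=[Rule(from_guest_bridge, "drop")])
    firewalld_allowing = Chain("firewalld", 0, rules=[Rule(from_guest_bridge, "accept")])

    return {
        "iptables_early_accept": iptables_verdict(shared_input, dns_query),
        "nft_accept_vs_blocking": nftables_verdict([libvirt_with_accepts, firewalld_blocking], dns_query),
        "nft_accept_vs_allowing": nftables_verdict([libvirt_with_accepts, firewalld_allowing], dns_query),
        "nft_bare_vs_allowing": nftables_verdict([libvirt_bare, firewalld_allowing], dns_query),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last two results are identical: once the other service's table admits the traffic, libvirt's own accept rules change nothing, and when it does not, they cannot help. That is the reasoning behind removing them.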